[GUIDE] Secure PhpMyAdmin

lemonadv
Posts: 6
Joined: Thu Feb 25, 2016 10:18 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby lemonadv » Thu Mar 03, 2016 9:17 pm

I fixed this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel\.)?next2support\.com
RewriteRule .* - [F]

But again, if I try to log in from the VestaCP link, the message appears again:

Internal Server Error

What am I doing wrong? I want to access phpMyAdmin only from the VestaCP link, not from http://next2support.com/phpmyadmin/ for example.

www.rinku31
Posts: 21
Joined: Thu Jun 04, 2015 9:22 am

Re: [GUIDE] Secure PhpMyAdmin

Postby www.rinku31 » Fri Mar 04, 2016 7:33 am

I think it is simpler (Ubuntu 14.04):

Check this file >> /etc/phpmyadmin/config-db.php

it is:


<?php
##
## database access settings in php format
## automatically generated from /etc/dbconfig-common/phpmyadmin.conf
## by /usr/sbin/dbconfig-generate-include
## Thu, 01 Mar 2016 08:48:52 -0500
##
## by default this file is managed via ucf, so you shouldn't have to
## worry about manual changes being silently discarded.  *however*,
## you'll probably also want to edit the configuration file mentioned
## above too.
##
$dbuser='phpmyadmin';
$dbpass='some pass will here';
$basepath='';
$dbname='phpmyadmin';
$dbserver='';
$dbport='';
$dbtype='mysql';


What we have to do is log in to phpMyAdmin as root and create a database named phpmyadmin. Then add a new user phpmyadmin with the same password ("some pass will here") and add this user to the phpmyadmin database. Finally, we have to import the example/create_tables.sql tables.

Log out and log in again. Errors gone!

lemonadv
Posts: 6
Joined: Thu Feb 25, 2016 10:18 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby lemonadv » Fri Mar 04, 2016 9:38 pm

I already did that! But this problem appears only when I put this in my .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !(panel\.)?next2support\.com
RewriteRule .* - [F]

If not, everything works fine! But I want to connect to phpMyAdmin only from the VestaCP link.

pandabb
Posts: 192
Joined: Sat Aug 08, 2015 3:03 am

Re: [GUIDE] Secure PhpMyAdmin

Postby pandabb » Sat Dec 10, 2016 11:16 pm

Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess

Does anyone know how to do this if using nginx + php-fpm?

I saw one, but I don't know where to put my URL in the code below. Can someone please add it, e.g. if my server name is https://pong.pandabb.com?

# Capture the first path segment of the request as $1.
location ~/([a-zA-Z0-9\.\-]*)/* {
    # Pair the captured segment with the Referer header the client sent.
    set $match "$1::$http_referer";
    # Deny unless the Referer starts with http(s)://, an optional www., and then that same segment.
    if ($match !~* ^(.+)::http[s]*://[www]*[.]*\1.*$ ) {
        return 403;
    }
}

syedsaqib206
Posts: 1
Joined: Fri Apr 07, 2017 1:02 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby syedsaqib206 » Fri Apr 07, 2017 1:41 pm

All these precautions are good, but I have applied an extra security layer, which is the best way to stop brute-forcing.

Example:
Create a PHP function that gets the user's IP, e.g.:
if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

If you can't find the IP, return false because it is not a valid user.
If the IP is found, then use the geoplugin.net API to get the user's location via cURL, e.g.:

$ch2 = curl_init();
curl_setopt($ch2, CURLOPT_URL, "http://www.geoplugin.net/json.gp?ip=".$ip);
curl_setopt($ch2, CURLOPT_HEADER, 0);
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, TRUE);
$ip_data_in = curl_exec($ch2); // string
curl_close($ch2);

This piece of code will return JSON data for the user's IP, e.g.:

{
"geoplugin_request":"104.196.xx.xxx",
"geoplugin_status":200,
"geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",
"geoplugin_city":"Mountain View",
"geoplugin_region":"CA",
"geoplugin_areaCode":"650",
"geoplugin_dmaCode":"807",
"geoplugin_countryCode":"US",
"geoplugin_countryName":"United States",
"geoplugin_continentCode":"NA",
"geoplugin_latitude":"37.4192",
"geoplugin_longitude":"-122.0574",
"geoplugin_regionCode":"CA",
"geoplugin_regionName":"California",
"geoplugin_currencyCode":"USD",
"geoplugin_currencySymbol":"&#36;",
"geoplugin_currencySymbol_UTF8":"$",
"geoplugin_currencyConverter":1
}

Now you can decode the JSON string into a PHP array and get the IP location, e.g. city, region, country:

$ip_data = json_decode($ip_data_in, true);
$ip_data = str_replace('&quot;', '"', $ip_data);
if (isset($ip_data) && !empty($ip_data['geoplugin_countryName'])) {
    $user_ip = trim($ip_data['geoplugin_request']);
    $city    = trim($ip_data['geoplugin_city']);
    $region  = trim($ip_data['geoplugin_region']);
    $country = trim($ip_data['geoplugin_countryName']);

    return $userData = array('userIP' => $user_ip, 'userCity' => $city, 'userRegion' => $region, 'userCountry' => $country);
} else {
    return false;
}
So now the actual logic starts here. Normally a server owner uses their home or office internet connection, never changes ISP frequently, and also does not use proxy IPs to log in to their server, so the server administrator uses the same location all the time. In my case my ISP mostly uses three locations in my country and assigns them to my IP... my country never changes, but the cities change when I reboot my router.
So the point is, the above code will return the country and the city as well... you can apply these checks to restrict unwanted login attempts as follows:

Call this function at the very first line of index.php of phpMyAdmin, within the <?php tag:
$user_trace    = ip_visitor_country();
$allowed_cntry = array('United States');
$allowed_city  = array('New York', 'Los Angeles', 'Chicago');
if (!in_array($user_trace['userCity'], $allowed_city) || !in_array($user_trace['userCountry'], $allowed_cntry)) {
    echo "Access Denied";
    die();
}

Now phpMyAdmin will only be accessible from the United States within the three locations 'New York', 'Los Angeles' and 'Chicago'; otherwise it will stop further execution of the code.
As you all know very well, brute-force scripts change the IP on every attempt,
so the above code will not give them a single chance to reach the user and password fields...

If you like this method... you can use it and be tension-free from brute forcing :)

Thanks
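A caveat on the post above, shown as an added example and not the poster's code: HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are ordinary request headers that any client can set, so a country or city check built on them is deciding on a value the client chose. The hardened client_ip() below honours X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is a proxy you operate; the $trustedProxies list, the sample $_SERVER arrays and the PHP 7.1+ requirement are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Determine the client IP without
// trusting headers that the client itself supplies. Requires PHP 7.1+.

// Same selection order as the post above: headers first, REMOTE_ADDR last.
function client_ip_naive(array $server): string
{
    if (!empty($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    return $server['REMOTE_ADDR'];
}

// Hardened: REMOTE_ADDR is taken from the TCP connection and cannot be
// forged by the client; X-Forwarded-For is used only if that peer is a
// proxy we operate ($trustedProxies is an assumed deployment setting).
function client_ip(array $server, array $trustedProxies = []): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;                       // no usable address: reject
    }
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;                      // direct connection: peer is the client
    }
    // Our proxy appends the address it saw as the last element; earlier
    // elements were written by whoever sent the request to the proxy.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $last = end($hops);
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : null;
}

// Constructed request (documentation addresses): a client connecting directly
// from 203.0.113.9 while claiming a different address in the header.
$spoofed = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
];

// The naive lookup hands the geo check the header value the client chose;
// the hardened one returns the address the connection actually came from.
echo "naive:    ", client_ip_naive($spoofed), "\n";
echo "hardened: ", client_ip($spoofed, ['10.0.0.2']), "\n";
```

The geoplugin.net lookup in the post also sends every visitor's address to a third party and adds a network round trip to each phpMyAdmin request, which is worth weighing against a plain allow-list of your own addresses.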

soldx
Posts: 7
Joined: Tue Apr 11, 2017 9:55 am

Re: [GUIDE] Secure PhpMyAdmin

Postby soldx » Mon May 15, 2017 8:28 pm

erldcrtz wrote:Add nameserver referral access only (you can only access phpmyadmin by clicking it from the control panel) also uses htaccess
1. Open /usr/share/phpMyAdmin (CentOS 6)
2. Create a .htaccess file and paste the following code (replacing the domain info server1.yourdomain.com with your own)


RewriteEngine On
RewriteCond %{HTTP_REFERER} !(server1\.)?yourdomain\.com
RewriteRule .* - [F]




Hi, if anyone has problems with the referer thing and gets a 403 error, just change http to https.

Cheers

mariad
Posts: 28
Joined: Fri Feb 17, 2017 5:34 am

Re: [GUIDE] Secure PhpMyAdmin

Postby mariad » Wed May 17, 2017 7:38 am

Thanks for the mention.

BardiaKh
Posts: 1
Joined: Thu Aug 24, 2017 12:23 pm

Re: [GUIDE] Secure PhpMyAdmin

Postby BardiaKh » Thu Aug 24, 2017 12:27 pm

erldcrtz wrote:Alternative (most recommended)


Enable SSL on phpMyAdmin and access it only from the name server.
1. Create a web domain using your name server (server1.myserver.com) with SSL support and nginx.
2. Edit /etc/httpd/conf.d/phpMyAdmin.conf (CentOS 6), delete the following (see below) and save.


Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
   Order Deny,Allow
   Deny from All
   Allow from All
</Directory>


3. Edit /home/admin/conf/web/shttpd.conf from step 1 (see above), paste the following (see below) before the line </VirtualHost> and save.


Alias /phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>

<Directory /usr/share/phpMyAdmin/scripts/>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
</Directory>


4. Restart the Apache server.
5. You may now access your phpMyAdmin with SSL, only from the domain name you made.


https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE





Hi,
After doing these steps I receive a 403 error when I go to the page


https://server1.myserver.com/phpmyadmins-GENERATE-RANDOM-PASS-CODE-HERE


Can someone help me make this right?

Thanks,

